If you get a "success" message, everything is fine. If not, please tell me which ISP you have and which operating system you have. Please also test the page with any mobile device (phone, tablet) you may have. Thanks.

Also Success here

(Edit) Copied Avij's message on top of my result, so everyone knows what to do. I think it is not necessary to reply if you have a "Success".

Thanks for testing. Testing for different browsers is somewhat unnecessary, because if there are problems, they're not at the browser level but elsewhere. Hostnames are resolved to IP addresses at the operating system level, and the ISP's DNS servers also play a role in this. Theoretically it is possible that the same laptop works fine with DNSSEC-enabled domains when used at home, but does not work when used at work due to different ISPs (or vice versa).

Money makes the world go round. We track how the money goes round the world.
EBT Tech WG leader. Do not PM me if your question is not related to Tech WG or the association.

The DNSSEC test page has now been accessed from 55 different IP addresses. eurobilltracker.eu (only a redirected domain name nowadays) is now DNSSEC-enabled. I'm planning to enable DNSSEC on eurobilltracker.com in about two weeks.

[technical]
.. so that I'd get to test how the automatic zone signing key generation/publishing/activation/retirement/deletion scripts work at the start of each quarter (January, April, July, October). Key signing keys are automatically generated at the end of the year, but I'll still need to cut&paste the KSKs manually to Gandi (the domain name registrar we're using).
[/technical]


avij wrote: It may be possible that we will block unencrypted logins via the website as well at some point, but no decision about this has been made yet.

I'm thinking of making logins https only from October 1st onwards. In practice, the "Secure login" checkbox will be removed and the secure login mode is selected by default. If you have concerns about this, please let me know.


Regarding DNSSEC, I was asked privately about that by two different persons, so perhaps I'll write the answer here for the benefit of everyone. If you're not into computer science, feel free to stop reading this message now.

DNSSEC's primary use case is to prevent DNS hijacking. With DNSSEC, validating DNS resolvers can check that there's a valid chain of signed zones, starting from root ., then on to .com and finally to .eurobilltracker.com. If there's a mismatch in the signatures somewhere along the path and a validating resolver is in use, the queried address will not resolve to an IP address. Because .com's records indicate that .eurobilltracker.com is signed, any responses from a malicious name server that pretends to be eurobilltracker.com's name server will be ignored because the malicious persons can't generate the correctly signed data themselves.

In all honesty, this has not been a real threat to us. I implemented this primarily because of academic interest. The tools for this are rather good nowadays. Automating everything and figuring out the proper timing for key creation/publishing/activation/revocation/deletion were the parts that required the most thinking. But I'm happy now -- most everything in this is automated, I only have to update the key signing keys to the registries manually once a year. The next time I need to update the KSKs is at the end of the year. If I'm feeling nerdish enough I may automate this step as well. I looked briefly at Gandi's documentation about this, and it seemed fairly straightforward. Zone signing keys are created and installed automatically every three months. Some sources say to create the ZSKs every month, but as I felt there's no particular threat, I'm creating those only every three months to reduce some complexity and to reduce some DNS traffic. When keys are being changed, two of them are active at the same time for a period of time, and it increases the size of the DNS responses. As of now, DNSSEC Visualizer shows that there are two ZSKs, one in use (id 33435) and the other (id 45666) waiting to be activated. Tomorrow the zone will be signed by both of the keys, and on 6th April the zone will be signed with only the new key, and on 8th the old key will be removed. Here's a screenshot of the current situation:

I had done the work for my own personal domains before this, and making eurobilltracker.com DNSSEC-enabled required only creating the keys, publishing the KSK in .com zone and adding eurobilltracker.com to my list of automatically managed zones.

Of course there are also some disadvantages. If some script I use does not work properly, it will cause eurobilltracker.com to become unreachable for those users using a validating DNS server. If you want to know if the DNS server you are using validates the responses, go to DNSSEC Resolver Test and press the "Start test" button. Another disadvantage is that DNSSEC increases the size of the responses, causing more DNS traffic. Some DNS servers can also be used for DDoS by creating requests from a forged source address, and having DNSSEC enabled makes those responses sent to an innocent victim bigger. Therefore I'm limiting the amount of responses per IP address to some sane amount to make EBT's name servers less interesting for DDoS purposes.

Money makes the world go round. We track how the money goes round the world.
EBT Tech WG leader. Do not PM me if your question is not related to Tech WG or the association.
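The post above names a broken rollover script as the main risk of running DNSSEC. As an added example (not part of the original post and not the author's scripts), this is one way to sanity-check a ZSK handover before the keys go live. It assumes key timing comments in the layout BIND writes to its key files, which the post does not confirm is the tooling in use; the zone name, dates and TTL thresholds are constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y%m%d%H%M%S"  # timestamp layout in BIND-style key-file comments
EVENTS = ("Publish", "Activate", "Inactive", "Delete")

def parse_key_timing(text):
    """Read '; Activate: 20300401000000 (...)' style comments into a dict."""
    timing = {}
    for line in text.splitlines():
        if not line.startswith(";") or ":" not in line:
            continue
        name, value = line[1:].split(":", 1)
        if name.strip() in EVENTS and value.split():
            timing[name.strip()] = datetime.strptime(value.split()[0], FMT)
    return timing

def check_rollover(old, new, dnskey_ttl, max_zone_ttl):
    """Return a list of problems in an old-ZSK -> new-ZSK handover."""
    problems = []
    missing = [e for e in ("Inactive", "Delete") if e not in old]
    missing += [e for e in ("Publish", "Activate") if e not in new]
    if missing:
        return ["missing timing metadata: " + ", ".join(missing)]
    if new["Activate"] - new["Publish"] < dnskey_ttl:
        problems.append("new key activated less than one DNSKEY TTL after publication")
    if new["Activate"] > old["Inactive"]:
        problems.append("gap: no key is signing between old Inactive and new Activate")
    if old["Delete"] - old["Inactive"] < max_zone_ttl:
        problems.append("old key deleted while its signatures may still be cached")
    return problems

# Constructed key-file headers: dates are made up, key ids are the two from the post.
OLD_ZSK = """; This is a zone-signing key, keyid 33435, for example.com.
; Publish: 20291225000000 (constructed)
; Activate: 20300101000000 (constructed)
; Inactive: 20300406000000 (constructed)
; Delete: 20300408000000 (constructed)
"""
NEW_ZSK = """; This is a zone-signing key, keyid 45666, for example.com.
; Publish: 20300325000000 (constructed)
; Activate: 20300401000000 (constructed)
"""

def demo():
    old, new = parse_key_timing(OLD_ZSK), parse_key_timing(NEW_ZSK)
    return check_rollover(old, new, timedelta(days=1), timedelta(days=1))

if __name__ == "__main__":
    print(demo() or "rollover schedule looks safe")
```

Running a check like this from the same job that generates the keys lets a bad schedule fail loudly before any validating resolver sees it.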

I just entered 53 new Belgian with the wrong shortcode, and I am trying to enter a contact form to change it. However, I get the message "Please enter a valid printer code!", so apparently it doesn't accept Z004 as shortcode. Can somebody have this problem fixed?

Of all the words of mice and men, the saddest are 'It might have been.' - Kurt Vonnegut

Elmo wrote: I just entered 53 new Belgian with the wrong shortcode, and I am trying to enter a contact form to change it. However, I get the message "Please enter a valid printer code!", so apparently it doesn't accept Z004 as shortcode. Can somebody have this problem fixed?

This is a little bit more complicated than what it might initially look like. The main problem is that the support system does not currently support requests where it might be possible that the requested printer code (or denomination) would be OK for some of the notes in the request but not OK for some other notes in the request.

Let's take a fictional example of someone asking to change the printer code of all their notes starting with serial X to X001A1. This would only be valid for Europa series notes, and only for denominations 10 and 20. Likewise if the request was to change the X notes' printer code to P001A1, that request would only be valid for non-Europa notes. The same kind of checks would need to be made for changing the denominations, because some resulting combinations might not be valid.

Although your request was clearly about Europa banknotes, the system is currently not smart enough to figure that out. The tools that the support people use do not have this restriction, because it's assumed that the support people know what they're doing. Changing the notes one by one would also work, because in that situation there's no ambiguity of whether the note is a Europa note or not.

That said, this is clearly a bug. There is already a Babel constant M_SUPPORTERROR_MIX_EUROPA reserved for the error message "When changing the denomination or printer code, it's not allowed to include both Europa and non-Europa banknotes. Please file separate requests for each kind of banknotes." but as the system is currently not capable of detecting whether there would be such problems, the error message is not emitted at all.
